Search

Please login in for more filter options

Kickstart your project with AVM templates.

AVM Bicep Modules
AVM Terraform Modules

containerregistry-registry

avm-terraform

report
Report Package containerregistry-registry

If you believe that this package or its contents contain harmful information, please inform us.
Please be aware that we will never share your credentials.

Please let us know what this package contains.
Please enter a valid email address.

This Terraform Azure Verified Module deploys: terraform-azurerm-avm-res-containerregistry-registry

ipm add --package avm-terraform/containerregistry-registry --version 0.5.1

Published: 16-01-2026

Project URL: https://ipmhub.io/avm-terraform

Package Type: Terraform

License: MIT

terraform-azurerm-avm-containerregistry

Module to deploy Container Registries in Azure.

As a starting point, the azurerm_container_registry resource has been implemented, noting this supports all attributes such as georeplication and zone redundancy.

[!WARNING] Major version Zero (0.y.z) is for initial development. Anything MAY change at any time. A module SHOULD NOT be considered stable till at least it is major version one (1.0.0) or greater. Changes will always be via new versions being published and no changes will be made to existing published versions. For more details please go to https://semver.org/

Requirements

The following requirements are needed by this module:

Resources

The following resources are used by this module:

Required Inputs

The following input variables are required:

location

Description: Azure region where the resource should be deployed.

Type: string

name

Description: The name of the Container Registry.

Type: string

resource_group_name

Description: The resource group where the resources will be deployed.

Type: string

Optional Inputs

The following input variables are optional (have default values):

admin_enabled

Description: Specifies whether the admin user is enabled. Defaults to false.

Type: bool

Default: false

anonymous_pull_enabled

Description: Specifies whether anonymous (unauthenticated) pull access to this Container Registry is allowed. Requries Standard or Premium SKU.

Type: bool

Default: false

customer_managed_key

Description: A map of diagnostic settings to create on the Key Vault. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
Controls the Customer managed key configuration on this resource. The following properties can be specified:

  • key_vault_resource_id - (Required) Resource ID of the Key Vault that the customer managed key belongs to.
  • key_name - (Required) Specifies the name of the Customer Managed Key Vault Key.
  • key_version - (Optional) The version of the Customer Managed Key Vault Key.
  • user_assigned_identity - (Optional) The User Assigned Identity that has access to the key.
    • resource_id - (Required) The resource ID of the User Assigned Identity that has access to the key.

Type:

object({
    key_vault_resource_id = string
    key_name              = string
    key_version           = optional(string, null)
    user_assigned_identity = optional(object({
      resource_id = string
    }), null)
  })

Default: null

data_endpoint_enabled

Description: Specifies whether to enable dedicated data endpoints for this Container Registry. Requires Premium SKU.

Type: bool

Default: false

diagnostic_settings

Description: A map of diagnostic settings to create on the Container Registry. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.

  • name - (Optional) The name of the diagnostic setting. One will be generated if not set, however this will not be unique if you want to create multiple diagnostic setting resources.
  • log_categories - (Optional) A set of log categories to send to the log analytics workspace. Defaults to [].
  • log_groups - (Optional) A set of log groups to send to the log analytics workspace. Defaults to ["allLogs"].
  • metric_categories - (Optional) A set of metric categories to send to the log analytics workspace. Defaults to ["AllMetrics"].
  • log_analytics_destination_type - (Optional) The destination type for the diagnostic setting. Possible values are Dedicated and AzureDiagnostics. Defaults to Dedicated.
  • workspace_resource_id - (Optional) The resource ID of the log analytics workspace to send logs and metrics to.
  • storage_account_resource_id - (Optional) The resource ID of the storage account to send logs and metrics to.
  • event_hub_authorization_rule_resource_id - (Optional) The resource ID of the event hub authorization rule to send logs and metrics to.
  • event_hub_name - (Optional) The name of the event hub. If none is specified, the default event hub will be selected.
  • marketplace_partner_resource_id - (Optional) The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic LogsLogs.

Type:

map(object({
    name                                     = optional(string, null)
    log_categories                           = optional(set(string), [])
    log_groups                               = optional(set(string), ["allLogs"])
    metric_categories                        = optional(set(string), ["AllMetrics"])
    log_analytics_destination_type           = optional(string, "Dedicated")
    workspace_resource_id                    = optional(string, null)
    storage_account_resource_id              = optional(string, null)
    event_hub_authorization_rule_resource_id = optional(string, null)
    event_hub_name                           = optional(string, null)
    marketplace_partner_resource_id          = optional(string, null)
  }))

Default: {}

enable_telemetry

Description: This variable controls whether or not telemetry is enabled for the module.
For more information see https://aka.ms/avm/telemetryinfo.
If it is set to false, then no telemetry will be collected.

Type: bool

Default: false

enable_trust_policy

Description: Specified whether trust policy is enabled for this Container Registry.

Type: bool

Default: false

export_policy_enabled

Description: Specifies whether export policy is enabled. Defaults to true. In order to set it to false, make sure the public_network_access_enabled is also set to false.

Type: bool

Default: true

georeplications

Description: A list of geo-replication configurations for the Container Registry.

  • location - (Required) The geographic location where the Container Registry should be geo-replicated.
  • regional_endpoint_enabled - (Optional) Enables or disables regional endpoint. Defaults to true.
  • zone_redundancy_enabled - (Optional) Enables or disables zone redundancy. Defaults to true.
  • tags - (Optional) A map of additional tags for the geo-replication configuration. Defaults to null.

Type:

list(object({
    location                  = string
    regional_endpoint_enabled = optional(bool, true)
    zone_redundancy_enabled   = optional(bool, true)
    tags                      = optional(map(any), null)
  }))

Default: []

lock

Description: Controls the Resource Lock configuration for this resource. The following properties can be specified:

  • kind - (Required) The type of lock. Possible values are \"CanNotDelete\" and \"ReadOnly\".
  • name - (Optional) The name of the lock. If not specified, a name will be generated based on the kind value. Changing this forces the creation of a new resource.

Type:

object({
    kind = string
    name = optional(string, null)
  })

Default: null

managed_identities

Description: Controls the Managed Identity configuration on this resource. The following properties can be specified:

  • system_assigned - (Optional) Specifies if the System Assigned Managed Identity should be enabled.
  • user_assigned_resource_ids - (Optional) Specifies a list of User Assigned Managed Identity resource IDs to be assigned to this resource.

Type:

object({
    system_assigned            = optional(bool, false)
    user_assigned_resource_ids = optional(set(string), [])
  })

Default: {}

network_rule_bypass_option

Description: Specifies whether to allow trusted Azure services access to a network restricted Container Registry.
Possible values are None and AzureServices. Defaults to None.

Type: string

Default: "None"

network_rule_set

Description: The network rule set configuration for the Container Registry.
Requires Premium SKU.

  • default_action - (Optional) The default action when no rule matches. Possible values are Allow and Deny. Defaults to Deny.
  • ip_rules - (Optional) A list of IP rules in CIDR format. Defaults to [].
    • action - Only "Allow" is permitted
    • ip_range - The CIDR block from which requests will match the rule.

Type:

object({
    default_action = optional(string, "Deny")
    ip_rule = optional(list(object({
      # since the `action` property only permits `Allow`, this is hard-coded.
      action   = optional(string, "Allow")
      ip_range = string
    })), [])
  })

Default: null

private_endpoints

Description: A map of private endpoints to create on the Container Registry. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.

  • name - (Optional) The name of the private endpoint. One will be generated if not set.
  • role_assignments - (Optional) A map of role assignments to create on the private endpoint. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time. See var.role_assignments for more information.
    • role_definition_id_or_name - The ID or name of the role definition to assign to the principal.
    • principal_id - The ID of the principal to assign the role to.
    • description - (Optional) The description of the role assignment.
    • skip_service_principal_aad_check - (Optional) If set to true, skips the Azure Active Directory check for the service principal in the tenant. Defaults to false.
    • condition - (Optional) The condition which will be used to scope the role assignment.
    • condition_version - (Optional) The version of the condition syntax. Leave as null if you are not using a condition, if you are then valid values are '2.0'.
    • delegated_managed_identity_resource_id - (Optional) The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created. This field is only used in cross-tenant scenario.
    • principal_type - (Optional) The type of the principal_id. Possible values are User, Group and ServicePrincipal. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.
  • lock - (Optional) The lock level to apply to the private endpoint. Default is None. Possible values are None, CanNotDelete, and ReadOnly.
    • kind - (Required) The type of lock. Possible values are \"CanNotDelete\" and \"ReadOnly\".
    • name - (Optional) The name of the lock. If not specified, a name will be generated based on the kind value. Changing this forces the creation of a new resource.
  • tags - (Optional) A mapping of tags to assign to the private endpoint.
  • subnet_resource_id - The resource ID of the subnet to deploy the private endpoint in.
  • private_dns_zone_group_name - (Optional) The name of the private DNS zone group. One will be generated if not set.
  • private_dns_zone_resource_ids - (Optional) A set of resource IDs of private DNS zones to associate with the private endpoint. If not set, no zone groups will be created and the private endpoint will not be associated with any private DNS zones. DNS records must be managed external to this module.
  • application_security_group_resource_ids - (Optional) A map of resource IDs of application security groups to associate with the private endpoint. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
  • private_service_connection_name - (Optional) The name of the private service connection. One will be generated if not set.
  • network_interface_name - (Optional) The name of the network interface. One will be generated if not set.
  • location - (Optional) The Azure location where the resources will be deployed. Defaults to the location of the resource group.
  • resource_group_name - (Optional) The resource group where the resources will be deployed. Defaults to the resource group of the Container Registry.
  • ip_configurations - (Optional) A map of IP configurations to create on the private endpoint. If not specified the platform will create one. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
    • name - The name of the IP configuration.
    • private_ip_address - The private IP address of the IP configuration.

Type:

map(object({
    name = optional(string, null)
    role_assignments = optional(map(object({
      role_definition_id_or_name             = string
      principal_id                           = string
      description                            = optional(string, null)
      skip_service_principal_aad_check       = optional(bool, false)
      condition                              = optional(string, null)
      condition_version                      = optional(string, null)
      delegated_managed_identity_resource_id = optional(string, null)
      principal_type                         = optional(string, null)
    })), {})
    lock = optional(object({
      kind = string
      name = optional(string, null)
    }), null)
    tags                                    = optional(map(string), null)
    subnet_resource_id                      = string
    private_dns_zone_group_name             = optional(string, "default")
    private_dns_zone_resource_ids           = optional(set(string), [])
    application_security_group_associations = optional(map(string), {})
    private_service_connection_name         = optional(string, null)
    network_interface_name                  = optional(string, null)
    location                                = optional(string, null)
    resource_group_name                     = optional(string, null)
    ip_configurations = optional(map(object({
      name               = string
      private_ip_address = string
    })), {})
  }))

Default: {}

private_endpoints_manage_dns_zone_group

Description: Whether to manage private DNS zone groups with this module. If set to false, you must manage private DNS zone groups externally, e.g. using Azure Policy.

Type: bool

Default: true

public_network_access_enabled

Description: Specifies whether public access is permitted.

Type: bool

Default: true

quarantine_policy_enabled

Description: Specifies whether the quarantine policy is enabled.

Type: bool

Default: false

retention_policy_in_days

Description: If enabled, this retention policy will purge an untagged manifest after a specified number of days.

  • days - (Optional) The number of days before the policy Defaults to 7 days.

Type: number

Default: 7

role_assignments

Description: A map of role assignments to create on the . The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.

  • role_definition_id_or_name - The ID or name of the role definition to assign to the principal.
  • principal_id - The ID of the principal to assign the role to.
  • description - (Optional) The description of the role assignment.
  • skip_service_principal_aad_check - (Optional) If set to true, skips the Azure Active Directory check for the service principal in the tenant. Defaults to false.
  • condition - (Optional) The condition which will be used to scope the role assignment.
  • condition_version - (Optional) The version of the condition syntax. Leave as null if you are not using a condition, if you are then valid values are '2.0'.
  • delegated_managed_identity_resource_id - (Optional) The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created. This field is only used in cross-tenant scenario.
  • principal_type - (Optional) The type of the principal_id. Possible values are User, Group and ServicePrincipal. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.

Note: only set skip_service_principal_aad_check to true if you are assigning a role to a service principal.

Type:

map(object({
    role_definition_id_or_name             = string
    principal_id                           = string
    description                            = optional(string, null)
    skip_service_principal_aad_check       = optional(bool, false)
    condition                              = optional(string, null)
    condition_version                      = optional(string, null)
    delegated_managed_identity_resource_id = optional(string, null)
    principal_type                         = optional(string, null)
  }))

Default: {}

scope_maps

Description: A map of scope maps to create on the Container Registry. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.

  • name - The name of the scope map.
  • actions - A list of actions that this scope map can perform. Example: "repo/content/read", "repo2/content/delete"
  • description - The description of the scope map.
  • registry_tokens - A map of Azure Container Registry token associated to a scope map. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
    • name - Specifies the name of the token.
    • enabled - Should the Container Registry token be enabled? Defaults to true.
    • passwords - The passwords of the token. The first password is required, the second password is optional.
      • password1 - The first password of the token.
        • expiry - The expiry date of the first password. If not specified, the password will not expire.
      • password2 - The second password of the token.
        • expiry - The expiry date of the second password. If not specified, the password will not expire.

Type:

map(object({
    name        = string
    actions     = list(string)
    description = optional(string, null)
    registry_tokens = optional(map(object({
      name    = string
      enabled = optional(bool, true)
      passwords = optional(object({
        password1 = object({
          expiry = optional(string)
        })
        password2 = optional(object({
          expiry = optional(string)
        }))
      }))
    })))
  }))

Default: {}

sku

Description: The SKU name of the Container Registry. Default is Premium. Possible values are Basic, StandardandPremium.

Type: string

Default: "Premium"

tags

Description: (Optional) Tags of the resource.

Type: map(string)

Default: null

zone_redundancy_enabled

Description: Specifies whether zone redundancy is enabled. Modifying this forces a new resource to be created.

Type: bool

Default: true

Outputs

The following outputs are exported:

name

Description: The name of the parent resource.

private_endpoints

Description: A map of private endpoints. The map key is the supplied input to var.private_endpoints. The map value is the entire azurerm_private_endpoint resource.

resource

Description: This is the full output for the resource.

resource_id

Description: The resource id for the parent resource.

scope_maps

Description: A map of scope maps. The map key is the supplied input to var.scope_maps. The map value is the entire scope map module.
The scope map module contains the following outputs:

  • id - The ID of the Container Registry Scope Map.
  • registry_tokens - The registry token object.
    • id - The ID of the Container Registry token.
    • registry_token_passwords - The registry token password object.
      • id - The ID of the Container Registry token password.
      • password1 - The first password object of the token.
      • password2 - The second password object of the token.

system_assigned_mi_principal_id

Description: The system assigned managed identity principal ID of the parent resource.

Modules

The following Modules are called:

scope_maps

Source: ./modules/scope-map

Version:

Data Collection

The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.

Release History

Version 0.5.1 - 2026-01-15

What's Changed

New Contributors

Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-containerregistry-registry/compare/v0.5.0...v0.5.1

Version 0.5.0 - 2025-09-09

No release notes were published in the GitHub Release for this version.

Version 0.4.0 - 2025-01-08

ACR retention policy can only be applied when using the Premium Sku

Version 0.3.1 - 2024-09-13

What's Changed

New Contributors

Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-containerregistry-registry/compare/v0.3.0...v0.3.1

Version 0.3.0 - 2024-09-13

What's Changed

New Contributors

Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-containerregistry-registry/compare/v0.2.0...v0.3.0

Version 0.2.0 - 2024-07-29

What's Changed

This is bug fix and minor update release. Support for diagnostic settings and content trust has been added.

New Contributors

Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-containerregistry-registry/compare/0.1.0...v0.2.0

Version 0.1.0 - 2024-02-09

What's Changed

New Contributors

Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-containerregistry-registry/commits/0.1.0

 
 {
  "workingFolder": "packages",
  "packages": [
    // packages defined earlier
    {
      "name": "avm-terraform/containerregistry-registry",
      "version": "0.5.1"
    }
  ]
}

This package has no dependencies

Stats

Selected version:

0.5.1

Downloads this version:

0

Downloads all versions:

0

Latest version:

0.5.1

Latest update:

16-01-2026

avm-terraform

Other versions (7)

0.5.1

0.5.0

0.4.0

0.3.1

0.3.0

0.2.0

0.1.0

Other packages

from avm-terraform

apimanagement-service

app-job

app-containerapp

View all from publisher

Ready to End Infrastructure Code Chaos?

Join infrastructure teams who've moved from scattered repositories to unified package management

Built by infrastructure experts
Who understand your challenges
Complete solutions
No scattered files
See what's deployed where
When it needs updates
Zero vendor lock-in
Packages work without us
Start Free Trial Book Live Demo Schedule Assessment
No setup fees or contracts Free migration assistance Cancel anytime with no penalties
Direct founder access Zero security incidents in 2+ years Works with any cloud, any CI/CD platform